This is when I noticed something. I know that the route engine will continue checking route entries until it finds a match (or show an error if it cant find a match) but I thought this only applied to the url parameter and not a combination of the url and
the applied constraints. So what I found out is in order for a MapRoute to be executed both the URl and Contraints all have to be satisfied or it will try the next route in the list.

So if my LocalContraint returns true and the url is /Secure then my SecureController is invoked, however if the LocalConstraint returns false and the path is /Secure the route mapping is ignored, the SecureController isn't invoked (correct behaviour) and
the route engine finds a match with the Default route and the page is displayed anyway. Stephen mentions this in this blog entry

"It is important to understand that even though this particular route cannot be accessed by an anonymous user, a later route might map an anonymous user to the same controller and controller action. For example, if the Admin route is followed by the following
Default route, then a user can access the Admin pages

For this reason, you should explicitly exclude the Admin pages from the Default route with an explicit constraint."

Could anyone explain to me how to modify the Default route to exclude the /Secure path?